If this is your first visit, be sure to
check out the FAQ by clicking the
link above. You may have to register
before you can post: click the register link above to proceed. To start viewing messages,
select the forum that you want to visit from the selection below.

Xss

This was a vulnerability in the past, but was never properly fixed. About a month ago I contacted the AO admin's about it and provided a PoC, however I never received a response after its acknowledgement and the hole was never fixed. I decided while going over this thread that I owe it to the community to publicize what I found:http://www.antionline.com/showthread...hreadid=265153

Overview:Cross Site Scripting (XSS) attacks are possible in the username field of karma.php. XSS attacks are scripts injected
through user provided information to carry sensitive information into another zone. In this case, JavaScript can be
injected into any the username field. Although there are precautions taken by Antionline.com to prevent this, input
sanitization is incomplete.
By inserting malicious JavaScript into karma.php an attacker can forward the cookies of members that click a malicious
link. Antionline.com allows users to authenticate themselves through cookies, allowing attackers to impersonate victims
through stolen cookies.